As hackers find more ways to compromise computers — from phishing to malicious web pages to taking advantage of user carelessness — and cyber-criminals go from pranksters or individual hackers to well-oiled commercial organizations that may even be funded by nation-states, security vendors are developing increasingly sophisticated technologies to help their customers fight back.

With the proliferation of attacks, and with the attackers now often well-funded organizations rather than lone hackers, security companies are being forced to search for new solutions.

Rather than relying on a human to wade through megabytes, or gigabytes, of security and system log files looking for the hints that mischief is afoot, vendors are applying machine learning and analytics to the problem. Yes, your friendly neighbourhood AI is on the job.

Citrix Systems Inc., a company known mainly for its virtual desktop and remote access technologies, recently announced Citrix Analytics, a cloud-based service which uses machine learning and analytics to identify and remediate many threats, as well as to look at performance issues.

The tool scrutinizes user behaviour and learns what’s normal. It draws its data from Citrix applications and management tools, and from network activity logged by Citrix NetScaler. It also monitors for actions that are out of policy, for example a user trying to access unauthorized files, and assigns each user a risk score based on what they do. Those scores are used to trigger responses from the system, without human intervention.

If someone logs in from an unknown location, or on a new device, they can be authenticated more rigorously than the same person would be when sitting at their desk in the office. If their risk score hits predetermined thresholds, the administrator is alerted and predefined actions are performed.

For example, if a user visits a website with a poor reputation (perhaps it is run by a suspected cyber-criminal, or has served malware in the past), that may add 10 points to the risk score. An uncharacteristically large upload volume tacks on another 10, and login from an unknown location ups the score again, to hit a threshold, at which point the system automatically terminates all of the user’s sessions and enables additional authentication requirements.
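As an added illustration (example code written for this article, not Citrix’s code or a description of how Citrix Analytics is implemented), here is a minimal additive risk-scoring engine of the kind described above. The two 10-point values are the article’s figures; the threshold of 25, the other point values, the event names, the baseline-learning step and the sample events are assumptions.

```python
from dataclasses import dataclass, field

# Points per risk event. The two 10-point values come from the article; the
# remaining point values and THRESHOLD are assumptions made for this example.
RISK_POINTS = {"bad_reputation_site": 10, "large_upload": 10,
               "unknown_location_login": 10, "unauthorized_file_access": 15}
THRESHOLD = 25  # assumed; the article only says "a threshold"

@dataclass
class UserProfile:
    known_locations: set = field(default_factory=set)
    score: int = 0
    terminated: bool = False
    audit: list = field(default_factory=list)  # (event, score, action, reason) for the console

def classify(profile, ev):
    # Map a raw event to a risk category; None means it is routine for this user.
    if ev["type"] == "login":
        return None if ev["location"] in profile.known_locations else "unknown_location_login"
    return ev["type"] if ev["type"] in RISK_POINTS else None

def process_event(profile, ev):
    # Add points, choose the automated response, and record why it was taken.
    kind = classify(profile, ev)
    if kind is None:
        return profile.score
    profile.score += RISK_POINTS[kind]
    action, reason = "log_only", f"{kind} added {RISK_POINTS[kind]} points"
    if kind == "unknown_location_login":  # unfamiliar location: authenticate more rigorously
        action = "step_up_auth"
    if profile.score >= THRESHOLD and not profile.terminated:
        profile.terminated = True  # all sessions dropped, extra auth required, admin alerted
        action, reason = "terminate_sessions+alert_admin", f"score {profile.score} reached {THRESHOLD}"
    profile.audit.append((kind, profile.score, action, reason))
    return profile.score

def run(history, events):
    # Logins in the training window define what is "normal"; then score the live events.
    profile = UserProfile()
    profile.known_locations = {ev["location"] for ev in history if ev["type"] == "login"}
    for ev in events:
        process_event(profile, ev)
    return profile

# Constructed sample: a week of office logins, then the article's three-event sequence.
HISTORY = [{"type": "login", "location": "Toronto"}] * 5
EVENTS = [{"type": "login", "location": "Toronto"},  # routine, no points
          {"type": "bad_reputation_site"}, {"type": "large_upload"},
          {"type": "login", "location": "Unknown-Country"}]
```

The `audit` list is what an administrator would read on the console: each entry records the event, the running score, the action taken and the reason.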


All of this happens without an administrator’s intervention. The sequence of events, and any alerts, appears on the Citrix Analytics console and the admin can see exactly what was done, and why, by clicking on the alert.

SAS Institute’s security analytics takes a different tack. It uses network activity data to work out what’s normal for a user or group of users (which other machines each one talks to, the type and amount of data exchanged, and when activity occurs), and it provides alerts and remediation advice to administrators, but it does not act on its own.

SAS believes that security personnel should be the ones making the decisions about what should be done; its system just makes sense of the masses of data and isolates what needs attention.

McAfee (which recently reclaimed its name after several years as Intel Security) uses a hybrid approach. Its system can automatically remediate simple threats, while passing the more complex issues on to administrators. The idea is to free security personnel from the day-to-day basics.

The key to all of these smart systems is data. Lots and lots of data, from companies’ internal sources and from their partners (Citrix exchanges data with Microsoft Intelligent Security Graph, for example). And that means another key is the cloud.

Why? Because machine learning, and the AI it powers, needs vast amounts of data to analyze and learn from. The more good data run through a machine learning system, the more it discovers about what’s normal and what’s not.

It can learn the differences between the usage patterns of a user in the Finance department and one in HR, for example, and once it knows those patterns, it can recognize wrongdoing and enforce policies appropriately. The cloud provides the capacity to store all that data, and to perform the analyses.

Lynn Greiner is a freelance journalist specializing in information technology and business topics.